Association of a Session object to a user is done by the container. Apart from calling getSession() method, a servlet programmer need not do any extra things.

This association is done by using a cookie called jsessionid that is sent by the container everytime in the response. The browser sends this back with every subsequent request, so the container can identify the session object for this user. If cookies are disabled in the client, then you have to use encodeURL()/encodeRedirectURL() methods to acheive this.

You can get this id using getSessionId() method in the HttpSession object.

NOTE: getSession(false) returns a HttpSession object only if a session already exists for this user. Else, it returns null.